A new variant of Mirai malware infects Linux devices
February 17, 2023
A new variant of the Mirai botnet, tracked as “V3G4”, targets 13 vulnerabilities in Linux-based servers and IoT devices for use in DDoS (Distributed Denial of Service) attacks.
The malware spreads by brute-forcing weak or default telnet/SSH credentials and by exploiting a hard-coded list of vulnerabilities to execute code remotely on target devices. Once a device is compromised, the bot payload is installed on it and the device is enrolled in the botnet.
The malware was observed in three separate campaigns by Palo Alto Networks' Unit 42 researchers, who tracked the malicious activity between July 2022 and December 2022.
Unit 42 believes that all three waves of attacks originate from the same threat actor, because the hard-coded C2 domains contain the same string, the downloaded shell scripts are similar, and the botnet clients used in all three attacks have the same functionality.
V3G4 attacks begin by exploiting one of 13 vulnerabilities, among them:
CVE-2012-4869: FreePBX Elastix remote command execution
Gitorious remote command execution
CVE-2014-9727: FRITZ!Box webcam remote command execution
Mitel AWC remote command execution
CVE-2017-5173: Geutebruck IP camera remote command execution
CVE-2022-4257: C-Data Web Management System command injection
V3G4 targeted vulnerabilities (Unit 42)
When the target device is compromised, the Mirai-based payload is dropped on the system and tries to connect to the hard-coded C2 address. The bot also attempts to terminate a set of processes from a hard-coded list of names belonging to competing botnet malware families.
V3G4 attempts to kill competing malware (Unit 42)
One feature that sets V3G4 apart from most Mirai variants is that it uses four different XOR encryption keys instead of one, which makes it harder for analysts to reverse-engineer the code and decode the strings that reveal its functions.
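Mirai's original string table is protected by a single-byte XOR that an analyst can brute-force in 256 attempts per string; four keys only means four such brute-forces. The Python below is an added example, not V3G4's decoder or code from Unit 42: it builds a Mirai-style table from constructed strings with four constructed keys assigned round-robin (an assumption about how a multi-key variant might spread keys over its table), then recovers the keys in two stages, first with a token crib that finds every key in use, then by decoding each string with whichever recovered key fits.

```python
import string

# Added illustration; keys, strings and tokens below are constructed, not V3G4's.
PRINTABLE = set(string.printable.encode())


def fold_key(key32: int) -> int:
    """Original Mirai table.c XORs each byte with k1, k2, k3 and k4 in turn,
    the four bytes of its 32-bit table key. That collapses to one single-byte
    key k1^k2^k3^k4, so 0xdeadbeef is effectively the key 0x22."""
    return (key32 ^ (key32 >> 8) ^ (key32 >> 16) ^ (key32 >> 24)) & 0xFF


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed config strings of the kind a Mirai-family bot carries.
PLAINTEXTS = ["/bin/busybox", "/proc/self/exe", "ogin:", "assword:",
              "enable", "shell", "system", "/dev/watchdog"]
# Four constructed single-byte keys (assumption: spread round-robin over the table).
KEYS = [0x22, 0x37, 0x5A, 0x91]
# Substrings an analyst expects to see in any Mirai-family string table.
TOKENS = [b"busybox", b"/proc/", b"ogin:", b"assword", b"enable",
          b"shell", b"system", b"watchdog"]


def build_table(plaintexts=PLAINTEXTS, keys=KEYS):
    """Obfuscate string i with keys[i % len(keys)]."""
    return [xor_bytes(s.encode(), keys[i % len(keys)])
            for i, s in enumerate(plaintexts)]


def token_hits(data: bytes, tokens=TOKENS) -> int:
    return sum(t in data for t in tokens)


def recover_keys(blobs, tokens=TOKENS):
    """Stage 1: try all 256 single-byte keys on every blob and keep each key
    whose output contains an expected token. With four keys in use, four
    distinct values surface; with one key, one."""
    found = set()
    for blob in blobs:
        for k in range(256):
            if token_hits(xor_bytes(blob, k), tokens):
                found.add(k)
    return found


def decode_table(blobs, keys):
    """Stage 2: decode each blob with the recovered key that yields the most
    token hits, breaking ties by the number of printable bytes."""
    out = []
    for blob in blobs:
        def score(k, blob=blob):
            d = xor_bytes(blob, k)
            return (token_hits(d), sum(b in PRINTABLE for b in d))
        best = max(sorted(keys), key=score)
        out.append(xor_bytes(blob, best).decode("latin-1"))
    return out


if __name__ == "__main__":
    table = build_table()
    keys = recover_keys(table)
    print("recovered keys:", sorted(hex(k) for k in keys))
    for s in decode_table(table, keys):
        print(s)
```

The recovery does not depend on knowing which key protects which string, only on a few substrings that every build of the family shares; that is why adding keys raises the cost of analysis far less than the choice of a stronger obfuscation would.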
To propagate to other devices, the bot uses a telnet/SSH brute-force routine that attempts to log in with default or weak credentials. Unit 42 observed that earlier variants of the malware used both telnet/SSH brute-forcing and exploits to spread, while later samples did not include a scanner.
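Because this propagation stage is a plain telnet/SSH password spray, it shows up in the victim's authentication log long before any DDoS traffic does. The Python below is an added example, not code from the page or from Unit 42: it runs a small detector over constructed sshd log lines, flagging a source that fails repeatedly against well-known default usernames and recording whether a password login later succeeded from that same source, which is the signature of a device that has just been enrolled.

```python
import re
from collections import defaultdict

# Constructed sshd lines in syslog format; not taken from any real host.
SAMPLE_LOG = """\
Feb 16 03:12:01 cam01 sshd[812]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb 16 03:12:02 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 41023 ssh2
Feb 16 03:12:02 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.9 port 41024 ssh2
Feb 16 03:12:03 cam01 sshd[812]: Failed password for invalid user guest from 203.0.113.9 port 41025 ssh2
Feb 16 03:12:04 cam01 sshd[812]: Failed password for root from 203.0.113.9 port 41026 ssh2
Feb 16 03:12:05 cam01 sshd[812]: Accepted password for root from 203.0.113.9 port 41027 ssh2
Feb 16 03:15:40 cam01 sshd[901]: Failed password for alice from 192.0.2.44 port 50212 ssh2
Feb 16 03:15:45 cam01 sshd[901]: Accepted publickey for alice from 192.0.2.44 port 50212 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted password for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Usernames common to factory-default IoT credential lists (constructed, not
# the malware's own list).
DEFAULT_USERS = {"root", "admin", "support", "guest", "user", "default",
                 "service", "supervisor", "tech", "ubnt"}


def analyse(log_text: str, threshold: int = 3) -> dict:
    """Return {source_ip: details} for sources that failed at least
    `threshold` logins using default usernames. `compromised_as` lists users
    for which a *password* login succeeded after the failures."""
    events = defaultdict(lambda: {"failed": 0, "users": set(),
                                  "accepted_after_fail": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = events[m["src"]]
        if m["result"] == "Failed":
            e["failed"] += 1
            e["users"].add(m["user"])
        elif m["method"] == "password" and e["failed"] > 0:
            e["accepted_after_fail"].append(m["user"])

    alerts = {}
    for src, e in events.items():
        default_hits = e["users"] & DEFAULT_USERS
        if e["failed"] >= threshold and default_hits:
            alerts[src] = {
                "failed": e["failed"],
                "default_users": sorted(default_hits),
                "compromised_as": e["accepted_after_fail"],
            }
    return alerts


if __name__ == "__main__":
    for src, details in analyse(SAMPLE_LOG).items():
        print(src, details)
```

A key-based login is deliberately not counted as a compromise, and a single failed login by a non-default user (alice above) stays below the threshold; tune `threshold` and `DEFAULT_USERS` to the device population you monitor.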
Finally, compromised devices receive DDoS commands directly from the C2, including TCP, UDP, SYN, and HTTP flood methods.
DDoS commands (Unit 42)
The operators of V3G4 most likely sell DDoS services to customers looking to disrupt particular websites or online services, although the botnet has not so far been tied to a specific service. As always, the best way to protect devices from infections like Mirai is to change the default password and install the latest security updates.